Opinion: Enterprise Security Architecture as a discipline – the three viewpoints.

Enterprise Security Architecture, as a discipline, exists to define an enterprise-wide, risk-driven approach to information security and to deliver infrastructure solutions that respond to the organisation's threat profile. It is also what drives and supports the standardisation and management of the organisation's information security function as a whole.

Enterprise Security Architecture is a term used loosely by organisations today. Depending on the maturity of the discipline, it may be limited to a technology-only function that addresses the organisation's security concerns through technical solutions. Such solutions provide point-in-time protection without any appreciation of a broader strategy that encompasses the equally important people and process domains.

As an example, for a web-based business the focus is availability and continuous uptime. The Enterprise Security Architecture for such an organisation will concentrate, at a minimum, on protecting its web servers: ensuring the associated web applications are hardened against common attacks such as man-in-the-middle interception and SQL injection, and ensuring that technology controls are in place to mitigate a Distributed Denial of Service (DDoS) attack.

Alternatively, if an organisation's core business is manufacturing and distribution, the focus will be on protecting the core systems whose unavailability would disrupt its manufacturing cycles and, in turn, the distribution of its products. The protection of these systems may be a mixture of network, hosting and endpoint technologies, potentially with minimal appreciation of the supporting people and process controls. The protection mechanisms and corresponding security architectures of these two organisations will in turn differ from the security architecture of a financial services organisation, which is required to address security concerns and manage threat vectors across all three of the people, process and technology domains.

In my view a comprehensive Enterprise Security Architecture should span the people, process and technology domains, and should additionally offer three distinct views that explain information security from multiple perspectives, including but not limited to a 'Business Viewpoint', a 'Technology Management Viewpoint' and a 'Security Practitioner's Viewpoint', each addressing the requirements across those three domains.

The Business viewpoint of an Enterprise Security Architecture should provide an executive-level understanding of the Governance, Risk and Compliance (GRC) posture of information security, followed by an appreciation of the People and Identity factors that influence it. In addition, the Business viewpoint should highlight the organisation's information assets and the threat posture of its IT infrastructure, including but not limited to network components, server instances and endpoints.

The Technology Management and Security Practitioner viewpoints should build on the Business viewpoint and explain in detail the requirements and principles for information security management. These are supported by the organisation's security policy and standards, which include identity and access management, threat and vulnerability management operating procedures, and a framework for security reporting.

The Security Practitioner view will specifically focus on, and provide details of, the security capability and associated infrastructure components required to support the management view and the business view, detailing in no particular order the;

The Enterprise Security Architecture within an organisation should ensure that the above viewpoints are understood, and should not be limited to a technology-only function. A successful Enterprise Security Architecture provides guidance across the three domains of people, process and technology so that the organisation can continue to operate anytime and anywhere in a secure manner, whilst maintaining a competitive compliance posture.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.